- From: Harry Halpin <hhalpin@w3.org>
- Date: Tue, 25 Oct 2011 12:17:32 +0100 (BST)
- To: public-identity@w3.org
> On 2011-10-18 21:58, Harry Halpin wrote:
>>> On 18 Oct 2011, at 21:05, Harry Halpin wrote:
>>>>> sounds good, but why no mention of WebID?
>>>>> Henry
>>>> At the workshop, it seemed people wanted to focus on API based work first such as the Crypto API, and certificates were discussed but thought of as out-of-scope for this future working group, although the W3C would be happy to see future work around certificates (everyone agrees current situation is a mess). The one idea that came up was a possible future workshop focused more narrowly on certificates.
>
> A problem as I see it is that the people from "The Big Three" at the workshop do not really represent their employers' ideas of what is *important*. Here follow a few recent real-world examples:
>
> The neat enrollment scheme in iPhone which Apple didn't even mention when <keygen> was standardized [*] by the W3C:

Please note that of course employees speak as individuals, but that your examples rely on the mistaken assumption that <keygen> is a W3C Recommendation, which it is not. <keygen> for many years (at least over a decade) was supported only by Netscape and a source of confusion amongst developers, and thus was avoided on the Web. HTML5 is still a Working Draft, although HTML5 is special insofar as it is 'de-facto' widely implemented, with <keygen> being proposed in 2009 as part of HTML5. However, <keygen> is still controversial - see Adrian Bateman's reasoning over why keygen is not implemented by IE yet and why they would like it dropped [2]. That also seems to be a pretty good line of reasoning about why it's not widely used by Web developers.
> http://images.apple.com/iphone/business/docs/iPhone_OTA_Enrollment_Configuration.pdf
>
> How enrollment works in this Microsoft preview is currently secret because the TCG considered this out-of-scope although it is a prerequisite for the demo:
>
> http://channel9.msdn.com/Events/BUILD/BUILD2011/HW-462T
>
> Almost nothing of this solution is currently publicly documented:
>
> http://mail.google.com/wallet
>
> The once very hyped Liberty Alliance Project succeeded fairly well except on the client side which again shows that mucking around in the client is more than difficult.
>
> My conclusion is that the traditional way of establishing standards is gone. With the new "Super Providers" Apple and Google, who own entire ecosystems, from the devices to services, the motives for standardization seem pretty marginal. I have therefore in my private "standardization efforts" focused on things that Apple and Google do not consider core business such as upgrading smart cards to work in a web world:
>
> http://webpki.org/papers/keygen2/sks-keygen2-exec-level-presentation.pdf

The W3C is looking for constructive input, ideally in terms of textual changes to clarify the scope, and input on how smartcards could work in the Web via a Crypto API would be of interest. Also note that Webkit and Mozilla are actually open-source projects too, so if you can try to contribute via code that's possible. That is usually the best way to get attention at this stage.

> The primary issue with standardization in the case of universal web identity solutions is that there is no money in it unless your job is "to standardize". Essentially only "The Big Three" really have such resources as well :-(
>
> How about WebID? Well, this is primarily a deployment issue whose fate is also in the hands of the "Super Providers".

There were also clear security issues pointed out by Brad Hill with WebID and this dominated the workshop discussion of it and it is unclear if Brad or anyone found them addressed [2]. Also note that TLS/cert purchase is generally not a problem for larger providers, but for smaller operations. Again, as per the workshop discussions, we're aiming at generic APIs as per the workshop, not at any identity "solution." So, I think the most productive thing to do would be to figure out if there is a reasonable "smartcard" story that would make sense as part of the chartered work here and that could get widespread support.

[1] http://lists.w3.org/Archives/Public/public-html/2009Sep/0043.html
[2] http://lists.w3.org/Archives/Public/public-xg-webid/2011May/0127.html

> Anders
>
> *] A proper market analysis would have revealed that <keygen> de-facto has less than 5% market-share for on-line enrolled certificates and therefore never was a candidate for standardization in spite of being supported by most browser vendors except Microsoft.
>
>>> The WebID working group is not a working group about certificates. It is about tying TLS/SSL to identity to the web using simple web architecture. The most active list of all the groups you have created recently is the WebId XG list. Few of us were present in California during your discussion. So perhaps you could take that into account, and allow us to have a discussion of how webid can tie into these other protocols. We did not look at that in the WebID XG simply in order to make sure we could deliver something.
>> Currently the WebID work does depend critically on certificates, which is why I brought that option of another workshop up (as there's no non-certificate purely API-based option in your draft spec).
>> We are of course following the WebID's work and look forward to your concrete suggestions that come from any discussion on the WebID list, although I would request that WebID-specific discussions stay on the WebID list and then your group gives the W3C a single list of requested changes to the charter, as discussions on this list should ideally focus on textual changes and scoping to the charter.
>>> Henry
>>>> cheers,
>>>> harry
>>>>> On 18 Oct 2011, at 19:53, Harry Halpin wrote:
>>>>>> Everyone,
>>>>>> While it's still not fully baked, we'd like to open the discussion on the list over this draft charter for a "Web Identity" Working Group: http://www.w3.org/2011/08/webidentity-charter.html
>>>>>> Everything is fair game - I'm not quite comfortable even with the Working Group name. Also, there are issues of how we should scope this, whether or not we should split the work into two WGs (one for a Crypto API and another for a higher-level identity API and hooks for device/browser-aware authentication) or stick it in one WG - and of course relations to other standards bodies.
>>>>>> Also, if any of you are near Silicon Valley we can discuss this in person at the W3C Technical Plenary on Nov 1st. I'll send that email out in one sec..
>>>>>> And if anyone is at Internet Identity Workshop I'm here to discuss the charter.
>>>>>> cheers,
>>>>>> harry
>>>>> Social Web Architect
>>>>> http://bblfish.net/
>>> Social Web Architect
>>> http://bblfish.net/

Received on Tuesday, 25 October 2011 11:17:39 UTC